Firewall Wizards mailing list archives
RE: Cisco Private VLANs
From: "Barry Dykes" <barry () onesec net>
Date: Wed, 20 Dec 2000 14:48:38 -0600
First a little background. I tried to get Cisco to do this about 4
years back. They kept saying that they couldn't do it. Finally I got
Extreme and Foundry to do it. My intention had nothing to do with
security and this feature still has nothing to do with security! It
is marketing crap that calls it "Private/Public". Extreme calls theirs
Super/Sub-VLANs (and VMAN in some of their new marketing speak). An
RFC is currently in the draft zone and will be put out as an
information RFC pretty soon. However, let me explain how it really
works and what it was supposed to do. The latter first.
Its purpose was basically for IP address conservation. Under the
normal VLAN setup you must allocate a block of IP space for each
customer. If you just give them enough to address their single
server, like a /30, then when they add another server you must either
give them another /30 or have them renumber into a /29. Now when you
consider that you are really only using 1 IP address per server and
only really need a default address to point at, you end up with many
IP addresses just "laying around unused or unusable".
How it works - What the SuperVLAN (or PublicVLAN) allows you to do is
use one large IP block, with one default IP address and one network
and broadcast address. All of the other addresses can be given to
hosts/servers below. The SuperVLAN is basically a layer three
decision and does proxy ARP so that each device can also reach other
hosts on the same network. Read the RFC on VLAN aggregation when it
comes out or pull
http://search.ietf.org/internet-drafts/draft-mcpherson-vlan-ipagg-00.txt
to find out more. As you can see - security must be done at the
server! The "private" (or subVLAN) is nothing more than a regular
bridge group associated with a tag (a VLAN)!
Barry
-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Zarcone, Christopher
Sent: Wednesday, December 06, 2000 9:10 AM
To: firewall-wizards () nfr net
Subject: [fw-wiz] Cisco Private VLANs

Wizards,

I know there have been a lot of religious-war threads about the use of VLANs as security enforcement technologies. (I know firsthand because I started a few of them :-) Be that as it may, Cisco has recently introduced "Private VLANs" with their Catalyst 6000 series of switches. According to the whitepapers, Private VLANs allow you to "isolate" ports within a VLAN, such that they can only communicate with other designated ports in the VLAN (like the port for your router/default gateway). Supposedly an isolated port cannot communicate with other isolated ports (e.g. one PC can't talk to another PC, even though they're in the same VLAN). Cisco promotes the use of this in provider co-location facilities, primarily for IP address conservation but also for cross-customer security.

It all sounds good in theory, but is anyone aware of any security issues or known vulnerabilities? For example, I know that with some of the other older Catalysts, you could cause frames to jump VLANs (and therefore jump enforcement boundaries) by creating frames with bogus 802.1q headers prepended. I heard Cisco corrected the problem, but it only makes you wonder what other VLAN gremlins might be lurking out there...

TIA,

Christopher Zarcone, CISSP
Senior Consultant
christopher.zarcone () netigy com
Netigy Corporation
www.netigy.com

My opinions do not necessarily represent the opinions of my employer.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
---------------------------------------------------------------------
To unsubscribe, e-mail: firewall-wizards-unsubscribe () onesec net
For additional commands, e-mail: firewall-wizards-help () onesec net
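The mechanism Barry describes, sub-VLANs that are plain bridge groups under one aggregated IP block with a router that proxy-ARPs for the whole block, modelled as an added Python example; it is not code from this thread or from any vendor. The block (203.0.113.0/24), gateway, host names and MAC addresses are constructed, and the optional `allow_from` set on a host is a stand-in for the host-side filtering Barry says has to carry the security.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Set, Tuple

# Constructed example: one aggregated block (the SuperVLAN) and one default gateway.
SUPER_VLAN = IPv4Network("203.0.113.0/24")
GATEWAY_IP = IPv4Address("203.0.113.1")
GATEWAY_MAC = "00:00:5e:00:01:01"


@dataclass
class Host:
    name: str
    ip: IPv4Address
    mac: str
    sub_vlan: int                                   # 802.1Q tag / bridge group the host sits in
    allow_from: Optional[Set[IPv4Address]] = None   # host-side filter; None = accept anything

    def __post_init__(self) -> None:
        if isinstance(self.ip, str):                # accept dotted-quad strings for convenience
            self.ip = IPv4Address(self.ip)


class SuperVlanSwitch:
    """Minimal model: each sub-VLAN is an isolated bridge group, the router is a
    member of every sub-VLAN and answers ARP for every address in the block."""

    def __init__(self, network: IPv4Network, gw_ip: IPv4Address, gw_mac: str):
        self.network, self.gw_ip, self.gw_mac = network, gw_ip, gw_mac
        self.hosts: Dict[str, Host] = {}

    def add_host(self, host: Host) -> None:
        if host.ip not in self.network or host.ip == self.gw_ip:
            raise ValueError(f"{host.name}: {host.ip} is not a usable host address in {self.network}")
        self.hosts[host.name] = host

    def arp_resolve(self, requester: Host, target_ip: IPv4Address) -> Tuple[Optional[str], str]:
        """Return (mac, how). The ARP broadcast is flooded only inside the requester's
        bridge group, so only a host in the same sub-VLAN can answer directly."""
        for h in self.hosts.values():
            if h.sub_vlan == requester.sub_vlan and h.ip == target_ip:
                return h.mac, "direct"
        # The router sees the request on every sub-VLAN and proxy-ARPs with its own
        # MAC for any address in the aggregated block, itself included.
        if target_ip in self.network:
            return self.gw_mac, "proxy-arp"
        return None, "unresolved"

    def deliver(self, src_name: str, dst_ip) -> dict:
        """Trace one frame from src to dst_ip and report the layer-2 path it took."""
        if isinstance(dst_ip, str):
            dst_ip = IPv4Address(dst_ip)
        src = self.hosts[src_name]
        mac, how = self.arp_resolve(src, dst_ip)
        if mac is None:
            return {"delivered": False, "path": [src.name], "reason": "no ARP reply"}
        dst = next((h for h in self.hosts.values() if h.ip == dst_ip), None)
        if dst is None:
            # The router accepted the frame via proxy ARP but nobody owns the address.
            return {"delivered": False, "path": [src.name, "gateway"], "reason": "no such host"}
        path = [src.name, dst.name] if how == "direct" else [src.name, "gateway", dst.name]
        # The switch enforces nothing across sub-VLANs; the receiving server is the
        # only policy point in this model.
        if dst.allow_from is not None and src.ip not in dst.allow_from:
            return {"delivered": False, "path": path, "reason": "dropped by host filter"}
        return {"delivered": True, "path": path, "reason": how}


def build_demo() -> SuperVlanSwitch:
    """Two customers in separate sub-VLANs; customer A has two servers (constructed)."""
    sw = SuperVlanSwitch(SUPER_VLAN, GATEWAY_IP, GATEWAY_MAC)
    sw.add_host(Host("cust-a-web", "203.0.113.10", "02:00:00:00:00:0a", sub_vlan=10))
    sw.add_host(Host("cust-a-db", "203.0.113.11", "02:00:00:00:00:0b", sub_vlan=10))
    # Customer B's server trusts only frames sourced by the gateway itself (constructed policy).
    sw.add_host(Host("cust-b-web", "203.0.113.20", "02:00:00:00:00:14", sub_vlan=20,
                     allow_from={GATEWAY_IP}))
    return sw


if __name__ == "__main__":
    sw = build_demo()
    for src, dst in [("cust-a-web", "203.0.113.11"),
                     ("cust-a-web", "203.0.113.20"),
                     ("cust-b-web", "203.0.113.10")]:
        print(f"{src} -> {dst}: {sw.deliver(src, dst)}")
```

Running it shows the two behaviours the post contrasts: a frame between the two customer-A servers is answered inside their own bridge group, while a frame from customer A to customer B is answered by the router's proxy ARP and routed into B's sub-VLAN, so the sub-VLAN boundary by itself keeps nobody apart and the drop only happens where a host filter exists.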
Current thread:
- Cisco Private VLANs Zarcone, Christopher (Dec 08)
- RE: Cisco Private VLANs Barry Dykes (Dec 20)
